Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 5.1(8)E3
OL-20155-01
The PIX and ASA Firewalls and other security devices support a feature known as TCP Sequence Randomization. The initial TCP packets for a connection have their initial Sequence Numbers randomized as they flow through the firewall. A sensor monitoring the side of the firewall where the TCP client is located as well as the side of the firewall where the TCP server is located sees the same TCP session twice, but with different sequence numbers. If the sensor is monitoring in promiscuous mode, this can confuse the TCP Reassembly software and the sensor may not be able to properly track the TCP session and may not be able to send alerts for any attacks within the TCP connection. If the sensor is monitoring in inline mode (inline interface pair or inline VLAN pair), it sees the TCP packets with the randomized sequence numbers as being out of order when compared to the original sequence numbers. When this happens, the inline sensor drops/denies the TCP packets with the randomized sequence numbers and prevents the TCP connection from continuing.
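The following Python model makes the caveat above concrete. It is an added example, not code from these release notes or from any Cisco product: the HTTP exchange, the ISN offset of 0x12345678, the firewall model (only the client's sequence space is shifted) and the deliberately simple per-direction tracker are all constructed assumptions. Feeding the tracker one side of the firewall keeps every segment in order; feeding it both sides without an ISN shift only produces harmless-looking retransmissions; feeding it both sides with an ISN shift produces segments the tracker cannot place, which is exactly what a promiscuous sensor loses state on and an inline sensor would drop.

```python
"""Toy model of what a firewall's TCP ISN randomization looks like to a sensor
that taps both sides of the firewall. Constructed example: the packets, the
firewall model and the reassembler are simplified illustrations, not the code
of any Cisco sensor or firewall."""
from collections import Counter
from dataclasses import dataclass, replace

MOD = 1 << 32   # TCP sequence numbers wrap modulo 2^32
HALF = 1 << 31  # a delta at or past this point is "behind", not "ahead" (serial-number compare)


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    payload: bytes = b""
    syn: bool = False


def flow_key(seg):
    """Bidirectional key: both directions of a connection share one entry."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a < b else (b, a)


def outside_view(seg, client, offset):
    """How the segment looks on the far (server) side of a firewall that shifted
    the client's initial sequence number by `offset` (assumed model): the client's
    seq numbers move by the offset, and the server's acks of that data move too."""
    if seg.src == client:
        return replace(seg, seq=(seg.seq + offset) % MOD)
    return replace(seg, ack=(seg.ack + offset) % MOD)


class Reassembler:
    """Minimal per-direction tracker: remembers the next expected sequence
    number for each sender and classifies every segment it is fed."""

    def __init__(self):
        self.next_seq = {}  # (flow, sender) -> next expected seq

    def feed(self, seg):
        key = (flow_key(seg), (seg.src, seg.sport))
        expected = self.next_seq.get(key)
        if expected is not None:
            delta = (seg.seq - expected) % MOD
            if delta != 0:
                # behind the expected point: data already seen (a normal retransmission);
                # ahead of it: a gap the tracker cannot explain, so it cannot be placed
                return "retransmission" if delta >= HALF else "out-of-order"
        self.next_seq[key] = (seg.seq + len(seg.payload) + int(seg.syn)) % MOD
        return "in-order"


def build_conversation(client, server):
    """Constructed handshake plus one request/response, numbered as the
    client side of the firewall sees it."""
    c2s = dict(src=client, dst=server, sport=40000, dport=80)
    s2c = dict(src=server, dst=client, sport=80, dport=40000)
    request = b"GET / HTTP/1.0\r\n\r\n"
    return [
        Segment(**c2s, seq=1000, ack=0, syn=True),             # SYN
        Segment(**s2c, seq=5000, ack=1001, syn=True),          # SYN/ACK
        Segment(**c2s, seq=1001, ack=5001),                    # ACK
        Segment(**c2s, seq=1001, ack=5001, payload=request),   # request
        Segment(**s2c, seq=5001, ack=1001 + len(request),
                payload=b"HTTP/1.0 200 OK\r\n"),               # response
    ]


def sensor_verdicts(both_sides, offset=0x12345678,
                    client="10.0.0.5", server="192.0.2.10"):
    """Feed the conversation to one tracker, optionally adding the copy of each
    segment that a second tap on the other side of the firewall would deliver."""
    tracker = Reassembler()
    counts = Counter()
    for seg in build_conversation(client, server):
        counts[tracker.feed(seg)] += 1
        if both_sides:
            counts[tracker.feed(outside_view(seg, client, offset))] += 1
    return counts


if __name__ == "__main__":
    print("one side only:           ", dict(sensor_verdicts(both_sides=False)))
    print("both sides, no ISN shift:", dict(sensor_verdicts(both_sides=True, offset=0)))
    print("both sides, ISN shifted: ", dict(sensor_verdicts(both_sides=True)))
```

With the ISN shift, every client-to-server segment seen on the server side lands ahead of where the tracker expects it, so three of the ten observations come back as "out-of-order"; without the shift the duplicate copies merely look like retransmissions. The practical mitigation the release notes imply is to avoid giving one sensor both sides of a sequence-randomizing firewall, or to monitor only one side.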
• After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.
• IDM does not support any non-English characters, such as the German umlaut or any other special language characters. If you enter such characters as a part of an object name through IDM, they are turned into something unrecognizable and you will not be able to delete or edit the resulting object through IDM or the CLI.
This is true for any string that is used by CLI as an identifier, for example, names of time periods, inspect maps, server and URL lists, and interfaces.
• You can only install eight IDSM-2s per switch chassis.
• Do not confuse Cisco IOS IDS (a software-based intrusion-detection application that runs in the Cisco IOS) with the IPS that runs on the NM-CIDS. The NM-CIDS runs Cisco IPS 5.1(8)E3. Because performance can be reduced and duplicate alarms can be generated, we recommend that you do not run Cisco IOS IDS and Cisco IPS 5.1(8)E3 simultaneously.
• Only one NM-CIDS is supported per Cisco 2600, 2811, 2821, 2851, 3825, 3845, and 3700 series router.
• Jumbo frames are not supported on the NM-CIDS.
• The HTML-based IDM has been replaced with a Java applet.
• You cannot use IDS MC 2.0 to configure 5.1(8)E3 sensors. Support for 5.1(8)E3 sensors is being added to IDS MC 2.1.
• When SensorApp is reconfigured, there is a short period when SensorApp is unable to respond to any queries. Wait a few minutes after reconfiguration is complete before querying SensorApp for additional information.
Connecting IPS-4240 to a Cisco 7200 Series Router
When an IPS-4240 is connected directly to a 7200 series router and both the IPS-4240 and the router
interfaces are hard-coded to speed 100 with duplex Full, the connection does not work. If you set
IPS-4240 to speed Auto and duplex Auto, it connects to the router but only at speed 100 and duplex Half.
To connect correctly at speed 100 and duplex Full, set the interfaces of both IPS-4240 and the router to
speed Auto and duplex Auto. Also, if either interface is hard-coded, you must make the connection using
a crossover cable.